authorHombreLaser <sebastian-440@live.com>2023-03-11 12:10:57 -0600
committerHombreLaser <sebastian-440@live.com>2023-03-11 12:10:57 -0600
commit3dae1ce143d006cc75940b746a8eb74982e6e861 (patch)
tree5bfa59dfd11bbfc9b8ef2a38da067e0c2ca0da42 /app
parent6b3cc5c3a33643c0e42396142a2d3204ada2bb82 (diff)
Añade test de scoping
Diffstat (limited to 'app')
-rw-r--r--app/controllers/api/companies_controller.rb2
-rw-r--r--app/controllers/authenticated_controller.rb6
-rw-r--r--app/controllers/master_controller.rb2
3 files changed, 8 insertions, 2 deletions
diff --git a/app/controllers/api/companies_controller.rb b/app/controllers/api/companies_controller.rb
index 9d6cb1c..21744de 100644
--- a/app/controllers/api/companies_controller.rb
+++ b/app/controllers/api/companies_controller.rb
@@ -4,7 +4,7 @@ module Api
# CompaniesController
class CompaniesController < MasterController
skip_before_action :validate_jwt, only: %i[show index]
- skip_before_action :assert_master_role, onlt: %i[show index]
+ skip_before_action :assert_master_role, only: %i[show index]
def index
@companies = Company.all
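Review bot: The `onlt:` → `only:` fix at line 27 was probably more than cosmetic: in Rails, `skip_before_action` given no recognised `:only`/`:except` option drops the callback for every action, so `assert_master_role` was likely bypassed on create/update/destroy of CompaniesController as well, not just on `show`/`index` — confirm against the Rails version in use and treat it as an authorization regression rather than a typo. A controller test asserting that a non-master token receives 403 from the write actions would pin the intended behaviour and catch a recurrence. A short comment above the two `skip_before_action` lines would also help the next reader: `# Public read access; every other action keeps MasterController's master-role check`.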
diff --git a/app/controllers/authenticated_controller.rb b/app/controllers/authenticated_controller.rb
index de02cab..56159ab 100644
--- a/app/controllers/authenticated_controller.rb
+++ b/app/controllers/authenticated_controller.rb
@@ -13,6 +13,12 @@ class AuthenticatedController < ApplicationController
@current_user_account ||= UserAccount.find_by(email:)
end
+ def current_user_role
+ return if decoded_token.nil?
+
+ decoded_token[0]['aud']
+ end
+
def authentication_token
@authentication_token ||= request.headers[:authorization]&.sub(/^Bearer /, '')
end
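Review bot: `current_user_role` at lines 37–41 reads the role out of the JWT `aud` claim, which is the audience claim in RFC 7519, so a reader will not expect it to carry a role; document the convention where the method is defined, e.g. `# Role carried in the token's 'aud' claim (set at issuance); nil when no token was decoded.` The value is only trustworthy if `decoded_token` (defined outside this hunk) verifies the signature before returning a payload — I cannot see that here, so please confirm. `decoded_token[0]` presumably being the payload half of the decoded pair is also worth a word in that comment.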
diff --git a/app/controllers/master_controller.rb b/app/controllers/master_controller.rb
index b2075d5..38cd441 100644
--- a/app/controllers/master_controller.rb
+++ b/app/controllers/master_controller.rb
@@ -7,7 +7,7 @@ class MasterController < AuthenticatedController
private
def assert_master_role
- return if current_user_account.role == 'master'
+ return if current_user_role == 'master'
render json: { error_message: 'No cuenta con los permisos necesarios' }, status: :forbidden
end
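Review bot: Line 54 moves the master check from `current_user_account.role` (a database read) to `current_user_role` (a token claim), so a role that is revoked or downgraded in the database keeps its master privileges until the token expires; if tokens are long-lived, consider re-reading the role from the account for privileged actions, or at least record the trade-off: `# Role comes from the token, not the DB: revocations take effect only when the token expires`. The nil case fails closed, since `nil == 'master'` is false and the 403 is rendered, which is the right default.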